OpenSSL 3.0 Officially Released After 3 Years of Development Work

The OpenSSL Software Foundation released a completely refreshed version of the OpenSSL software, which handles much of the encrypted communications on the Internet. After over 7,500 commits and contributions from over 350 different authors, OpenSSL 3.0 is finally here.
The post OpenSSL 3.0 Officially Released After 3 Years of Development Work appeared first on Linux Today.


Original URL: http://feedproxy.google.com/~r/linuxtoday/linux/~3/TaoS_Wb9ypk/

Original article

Sequoia: Linux kernel security flaw gives unprivileged users root access

A vulnerability has been discovered in the Linux kernel that makes it possible to gain root access on a number of popular distributions, including Ubuntu, Debian and Fedora. The flaw has been named Sequoia, and it exists in the filesystem layer. The security issue is thought to affect all versions of the Linux kernel released since 2014, meaning that a large number of distros are vulnerable. Specifically, the flaw is a size_t-to-int type conversion vulnerability that can be exploited to elevate privileges. [Continue Reading]


Original URL: https://betanews.com/2021/07/21/sequoia-linux-kernel-security-flaw-gives-unprivileged-users-root-access/

Original article

Google abandons URL shortening in Chrome

Google has called it quits on the notion of truncating URLs in Chrome, according to a note from earlier this month in the Chromium project’s bug database. “This experiment didn’t move relevant security metrics, so we’re not going to launch it,” Emily Stark, a staff software engineer on the Chrome team, wrote in the June 7 entry. Android Police first reported on Stark’s note June 10.


Original URL: https://www.computerworld.com/article/3621640/google-abandons-url-shortening-in-chrome.html#tk.rss_all

Original article

21Nails Vulnerabilities Impact 60% of the Internet’s Email Servers

The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. The Record reports: Known as 21Nails, the vulnerabilities were discovered by security firm Qualys. The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations. While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet. The 21Nails vulnerabilities, if left unpatched, could allow threat actors to take over these systems and then intercept or tamper with email communications passing through the Exim server.

As Qualys explains in its security advisory, the 21Nails vulnerabilities are as bad


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/u1JpmeG8YOo/21nails-vulnerabilities-impact-60-of-the-internets-email-servers

Original article

GitHub Denies Getting Hacked

GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals. From a report: The “supposed” source code was leaked via a commit to GitHub’s DMCA section. The commit was also faked to look like it originated from GitHub CEO Nat Friedman. But in a message posted on YCombinator’s Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way. Friedman said the “leaked source code” didn’t cover all of GitHub’s code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features. Friedman said this source code had already leaked months before due


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8Mvb0xbzaZs/github-denies-getting-hacked

Original article

Google To GitHub: Time’s Up — This Unfixed ‘High-Severity’ Security Bug Affects Developers

Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline. From a report: The bug in GitHub’s Actions feature — a developer workflow automation tool — has become one of the rare vulnerabilities that wasn’t properly fixed before Google Project Zero’s (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google’s hackers. GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug. As detailed in a disclosure timeline by GPZ’s Felix Wilhelm, the Google security team reported the issue to GitHub’s security on July 21 and a disclosure


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/wkUmh3o9W84/google-to-github-times-up----this-unfixed-high-severity-security-bug-affects-developers

Original article

‘Google App Engine’ Abused to Create Unlimited Phishing Pages

Google’s cloud-based service platform for developing and hosting web apps “can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products,” reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim:

A Google App Engine subdomain does not only represent an app, it represents an app’s version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won’t show a 404 Not Found page, but instead show the app’s “default” page (a concept referred to as soft routing)…

Essentially, this means there are a lot of permutations of subdomains to get to the attacker’s malicious app. As long as every subdomain has a valid “project_ID” field, invalid variations of other fields can be used at the attacker’s discretion to generate a long list of subdomains, which


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XWNb_udkv0g/google-app-engine-abused-to-create-unlimited-phishing-pages

Original article

QR code use grows in popularity but poses hidden risks

The use of QR codes has risen during the pandemic as they offer a perfect solution to contactless interaction. But many employees are also using their mobile devices to scan QR codes for personal use, putting themselves and enterprise resources at risk. A new study from security platform MobileIron shows that 84 percent of people have scanned a QR code before, with 32 percent having done so in the past week and 26 percent in the past month. In the last six months, 38 percent of respondents say they have scanned a QR code at a restaurant, bar or café,… [Continue Reading]


Original URL: https://betanews.com/2020/09/15/qr-code-popularity-risks/

Original article
